This is a follow-up to the earlier reported New York Times story that JetBrains was under investigation by the FBI as part of the SolarWinds hack. The SolarWinds attack was a massive cybersecurity breach affecting hundreds if not thousands of government and private servers, carried out through a malicious update to SolarWinds Orion software, a network monitoring tool. The NYT article implied that JetBrains' TeamCity CI build tool was either used to attack SolarWinds or in a parallel attack.
Shortly after we published the first story, JetBrains made an initial rebuttal, then on the following day published another response with much more detail:
Based on the public information available (which to date is the only thing we’re aware of as neither SolarWinds nor any governmental agency have reached out to us with any details regarding the breach), it seems that the attack on SolarWinds was targeted at their build process (what the media is referring to as a supply-chain attack). SolarWinds uses TeamCity amongst other tools during the build process. However, at this point, as also supported by the statements of the SolarWinds own spokesperson, there is no evidence that TeamCity had any role in this.
“SolarWinds, like many companies, uses a product by JetBrains called TeamCity to assist with the development of its software. We are reviewing all internal and external tools as part of our investigations, which are still ongoing” a SolarWinds spokesman said. “The Company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product”, he said.
For the game development crowd, the most important products from JetBrains are their suite of IDEs (IntelliJ, WebStorm, CLion, Project Rider, etc.). For those concerned about the security of those products, JetBrains' CEO had the following statement:
Does this affect your IDEs and other tools?
Our IDEs are standalone tools and bear no relation to TeamCity, other than the fact that we use our own installation of TeamCity to build them. We have no evidence that indicates that any of our servers or our standalone tools have been tampered with, and much like is the case with TeamCity, we run regular security audits on our tools and systems.
If you are a JetBrains product user, I recommend you read the entire post for complete details. Assuming JetBrains are telling the truth, the New York Times reporting would be irresponsible at best and possibly libelous at worst. You can learn more about the entire saga in the video below. My take at the end of the day: can you trust JetBrains software at this point? Well, as much as you can trust any software these days, yes, you can.